Video Screencast Help
Endpoint Security Blog

Forefront Endpoint Protection 2010 - the new SEP?

Created: 16 Dec 2010 • Updated: 31 Dec 2010 • 10 comments
dschrader's picture
+7 7 Votes
Login to vote

Today Microsoft introduced Forefront Endpoint Protection 2010.  4 years after Symantec they finally introduced Integration with Configuration Manager, Vulnerability Shielding and Firewall Management – the equivalents of which have all been in Symantec Endpoint Protection for the past 4 years.   

The new version of Forefront still lacks functions we consider essential to endpoint security, including:

  • Device control
  • Application inventory or application control (outside of AppLocker)
  • Access control self enforcement
  • Mac & Linux support – only a promise that sometime next year “details on the timing of the Mac/Linux release will be available”
  • Optimizations for virtual environments - no resource leveling – no way to prevent av storms in virtual environments
  • Bootable recovery disk or a tool equivalent to Symantec’s Power Erasure

A few additional thoughts:

1.  It appear that Forefront will provide poor protection for Windows XP users.  The Windows XP version of the Microsoft scanning engine has very different malware detection rates then the W7 version.  In fact Microsoft's Security Essentials for Windows XP failed AV-Test.Org’s certification for malware detection.  For the results, see:

2.      Forefront is dependent on System Center Configuration Manager and Active Directory for management and reporting

3.      Forefront relies on the Windows firewall – which is far less functional than that offered by Symantec.

4.      Gartner has long considered Microsoft a “niche player” in the endpoint security arena, lacking vision.  In a few weeks the next magic quadrant from Gartner will be released.  We do not expect Microsoft to improve their placement.

5.  Microsoft has included something called, “Dynamic Signature Service”  This feature checks suspicious files against an online blacklist of known malicious files.  While it is nice that Forefront offers what essentially is fast access to signature files, this is not a “reputation” service and it is far less effective than the Insight technology (Ubiquity) that Symantec has announced.

Forefront lacks protection you need.  Worms such as Stuxnet spread primarily by USB device.  Without device control, Forefront customers are helpless in the face of future such attacks.  Forefront lacks support for Mac and Linux, it lacks application control, it’s virus protection on Windows XP is weak.  Sure, it may be free for some Microsoft customers, but with Forefront you do get what you pay for.

Comments 10 CommentsJump to latest comment

Aaed Alqarta's picture

MS must revise their product roadmap to include the missing features, so then they can call it a true "endpoint security" product.

People may argue that (Device control, Application control, self-enforcement, ..etc) are not necessary for securing desktops, here is my reply:

1- Many malwares will stop/disable/corrupt critical services or local security policies to degrade security settings and make infection easier and faster.

E.g, Conficker will stop and disable windows update services which will prevent workstations from communicating with update servers (WSUS / Windows Update) and download latest/missing security/critical patches.

Solutions: SEP HI (Health Integrity) policy can be used to fix any insecure deviation like the above mentioned. Pre-defined templates for critical windows security settings including Windows update are already existed to help customers start securing network (Domain/Workgroup).

So if a client is compromised, security configuration would be manipulated (Conficker) to allow malware propagation. This’ll keep systems open for attacks; SEP will reverse them back to the correct ones.

I've used WSUS before and sometimes many workstations failed to install a critical or security update due to many reasons:

A. GPO that blocks installing files/programs

B. Corrupted windows update files/configuration

C. Windows update services are stopped/disabled due to infection or previous admin policy

D. other reasons

With SEP HI template, you can install missing windows updates that were downloaded (if service was running) and waiting to be installed.

SEP agent has been engineered to block any process/service tampering by users/malwares. So be sure that malware tampering to stop SEP (including installing patches) will fail.

2. Device control proved to be an aggressive front-line against known/unknown threats. I've personally tested this inside multiple enterprise customers (2000+) and found out that virus risk reports before/after device control were highly different. So why would I leave USB/CD/Floppy allowed and let AV deal with thousands of malwares. Think Defense-in-depth when you design network/endpoint security.

Finally, I would add that MS Forefront works well from the licensing point-of-view for enterprise customers only. SMB-to-Medium will need to install SSCM server (Do you need to remind me about time, effort and be NASA-certified in integrating multiple MS products and components from the first time?) and a system admin with SCCM skills.

Last word, SEP + SNAC self-enforcement is a single-product, single management server, single console, and single agent. 

Note: MS just released (Microsoft Security Essentials 2) so product testing/certification must be run again by 3rd-party. I think MS became wise when they included (Network Attacks Inspection) to block exploits and attacks at the network level.

Authorized Symantec Consultant - Symantec Certified Specialist - Experts-Exchange Certified Guru

Please don't forget to mark your thread solved

Login to vote
xlloyd's picture

Lol, wow. Thanks for this article =]

Leave it to Microsoft to develop something like this =P. It's typical of them to release a half-finished product (eg. Windows Vista).

In any case, Symantec has firmly established it's place at the top regardless of what any other vendor would like to say! Thanks again for the informative article!

If this post has helped you, please vote up or mark as solution
Login to vote
Chad Anderson's picture

I think you should try focusing on the flaws of your own product instead of pointing out the problems with others.  I have been using SEP for 10+ years and I can say there is not much reason to stick with it. 

  • Support:  It takes days (yes days) to get answers and most of the time they are the wrong answers.  This is the number one reason why we are looking elsewhere.
  • Detection:  I continually get computers with infection even though SEP is running and updated.  They are not even new viruses, they have been out for months.  How can I justify keeping a product that doesn't even provide basic virus protection.
  • Performance:  I can't run any sceduled scans during the week otherwise end users complain of slow performance.   

So FEP may have the very flaws listed above but at this point I would rather take those flaws then stick with SEP.

Login to vote
xlloyd's picture

Ouch! Harsh much bro. I guess it's the wake up call Symantec needs.

Care to share the names of some of the viruses that pass by SEP?

Also, (I assume you are but just to double-check) are you regularly updating the signature database?

About your scheduled scans? Since you don't run them in the you do it on weekends? I'd suggest you link up with the head of IT and have him do some scripting to boot the machines, login locally, scan, and shut down on weekends.

Can't really speak to your support issue as I'm no Symantec Employee =/

- xlloyd

If this post has helped you, please vote up or mark as solution
Login to vote
Chad Anderson's picture

Like I said, I have used them for over 10+ years and it will suck having to switch.  The Mail Security product with Anti-Spam is the best I have ever seen.  It kills me to have to swith to something else just because it takes forever to get support.  I could tell them nothing and just switch over to the first new product I find.  But that won't help me.

To answer your questions:

Our AV server checks for updates every 2 hours.  We update to the latest version of SEP every 6 months to a year. It would take me a bit to hunt down the latest viruses.  I also know that all AV's are not perfect but tell that to the Director that just got a virus on his computer.  I am the head of IT and we run the scans over the weekend but almost half of my computers are laptops so they are not here to boot up.

I am also not posting this just to be one of those guys.  At the last convention I was at I spent about 30 minutes at the booth talking with them about my issues.  Some of the people there aggreed with me.  I just want to get my concerns out so they know why people are moving away from their products.

Login to vote
xlloyd's picture


I completely understand. It does suck and I'm sad to hear that its so bad that you'll have to switch =(

10 years in a long time but a head of IT's gotta do what a head of IT's gotta do I guess. I just hope that you don't run into the same problem if/when you make the switch. It would especially suck if all this was because the laptop users don't run their scans at home and pick up viruses like that =/

- xlloyd

If this post has helped you, please vote up or mark as solution
Login to vote
profman87's picture

Microsoft is and has never been about pioneering technology. They buy what they like and integrate it, or if they cant buy it, they wait until they can copy it. Sorry folks, but dont be angry at them for looking out for keeps Bill Gates a wealthy nerd. 

Login to vote
lernebo's picture

Many organizations are being solicited by Microsoft with the Enterprise Agreement Bundles and this is being touted as a "bonus". However. what needs to be explained to management, is that you will most likely be moving Endpoint Security management away from the Security people, and putting it in the hands of the software deployment personnel.

With the SEP architecture, you can keep a fully functional, feature rich environment separate from the SCCM/SCOM environment and ensure separation of duties.

Login to vote
meraj2k's picture


We have Installed Microsoft Fore Front recently on our server and then installed Symantec Endpoint 11 (64 bit) on it. Installation was successful but after we restarted the server it gives blue screen and thats it. We had to   re-install the server 2008 & Microsoft Fore Front again.

Now I am looking for solution how to Install Endpoint 11 on server.

Kindly lets solve this problem asap.

Thanks & Best Regards,


Login to vote
Wzrd1's picture

FEP is the only antivirus system around that I'm aware of that requires anyone running reports to be both the database administrator and have admin roles in SCCM.

Today, in our test environment, we tried an offline eicar test, with the test notebook off of the company network.

FEP alerted and cleaned eicar from the system. We rebooted and connected to the company network.

It took over 90 minutes for an alert to be triggered by FEP.

As for support, I cannot disagree with the other post, Symantec support CAN end up taking days to resolve an issue.

But, between the two, I'd stick with Symantec.

Login to vote